I'm pretty sure I understand the Access Rules fairly well. I configured my VLANs in this order of security (highest to lowest): Inside, DMZ, WIFI, Outside. I intentionally configured them this way so that users of the wifi ONLY have access to the internet. I simply added a Dynamic NAT rule to permit NATing with the internet (outside). Wifi works.

I did not do the initial configuration of this ASA and I would like to figure out why traffic is allowed from "Point A" to "Point B". I'm trying to understand the traffic flow. So really I want to start by asking why traffic is allowed from VPN (192.168.10.0/24) to DMZ (192.168.100.0/24) without any NAT rules. I have to add a NAT rule to allow VPN -> Wifi and VPN -> Inside. But for some reason, VPN -> DMZ works without any NAT configuration...

Also, when would one use a Nat Exempt rule over a NAT Static rule? What are the differences between them?

The initial configuration included a static rule:

static (inside,dmz) 192.168.100.0 192.168.0.0 netmask 255.255.255.0

This allowed inside <-> DMZ. So logically I assumed that another static rule would allow inside <-> Wifi. This did not work. I used this command:

static (inside,wifi) 192.168.2.0 192.168.0.0 netmask 255.255.255.0

So then I tried a NAT Exempt rule, and I was able to gain access to 192.168.2.0 from inside.

NAT Exemption is NAT 0. STATIC NAT is different because the NAT exemption is only for outgoing traffic. STATIC NAT is bidirectional. This means that with NAT exemption, traffic can only be initiated from a higher-security interface. The traffic can be sent back only if there's a session established.

"If there's no ''nat-control'' on your configuration, then traffic can flow between interfaces without NAT."

If I remove the NAT exempt rule, I cannot access the DMZ from Inside. ??? Same with the NAT exempt rule for the Wifi. If I remove it, I cannot access the wifi from Inside.

I really need a good explanation of the different NAT rules. Really the only one I understand is the Dynamic Rule. For the most basic "usable" configuration with just 2 interfaces (inside and outside), you would only need a Dynamic rule.

When you have nat-control enabled, you need to define a NAT rule in order to communicate between interfaces. This rule can actually translate the traffic or it can be an identity rule to bypass NAT. But there has to be a matching NAT rule for any traffic.

The above NAT bypasses NAT for the traffic specified in the ACL. This is called NAT Exemption.

NAT 0 alone:

nat (inside) 0 192.168.0.0 255.255.255.0

This is called NAT Identity and its purpose is to define a NAT rule to avoid NATing the traffic from the inside interface. As I said, when you have NAT-CONTROL enabled, there should be a NAT rule for communication (whether or not you're NATing the traffic).

static (in,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0

The above static is also bypassing NAT for the inside network, but it's bidirectional. NAT 0 alone is only for outbound traffic.
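As an added illustration (not code from the thread or from Cisco), here is a small Python model of how pre-8.3 ASA NAT matching behaves under nat-control as described in the reply above: nat 0 only matches connections initiated from its own interface (with an exemption access-list also pinning the destination), a static matches in both directions, and a dynamic nat/global pair only translates toward the interface that holds the global pool. The rule objects, the `global (outside) 1` statement the dynamic rules imply, and the simplified matching order are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    kind: str                         # "dynamic" (nat <id> + global), "nat0", "static"
    real_if: str                      # interface where the real, untranslated hosts live
    real_net: str                     # real network as CIDR
    mapped_if: Optional[str] = None   # dynamic: interface with the global pool; static: other interface
    mapped_net: Optional[str] = None  # static only: how real_net appears on mapped_if
    dst_net: Optional[str] = None     # nat0 with access-list (NAT exemption): destination it covers

def _in(ip: str, cidr: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

def nat_decision(src_if: str, dst_if: str, src_ip: str, dst_ip: str,
                 rules: list, nat_control: bool = True) -> str:
    """How a new connection is handled: 'identity', 'translate', 'route' or 'drop'."""
    # nat 0 (exemption/identity) is checked first and only matches connections initiated
    # from its own interface; an exemption access-list additionally pins the destination
    for r in (r for r in rules if r.kind == "nat0"):
        if src_if == r.real_if and _in(src_ip, r.real_net) and (r.dst_net is None or _in(dst_ip, r.dst_net)):
            return "identity"
    # static is bidirectional: it matches connections started from either interface
    for r in (r for r in rules if r.kind == "static"):
        fwd = src_if == r.real_if and dst_if == r.mapped_if and _in(src_ip, r.real_net)
        rev = src_if == r.mapped_if and dst_if == r.real_if and _in(dst_ip, r.mapped_net)
        if fwd or rev:
            return "identity" if r.real_net == r.mapped_net else "translate"
    # nat/global: outbound only, and only toward the interface that holds the global pool
    for r in (r for r in rules if r.kind == "dynamic"):
        if src_if == r.real_if and dst_if == r.mapped_if and _in(src_ip, r.real_net):
            return "translate"
    # no matching rule: nat-control refuses the connection; without it the packet is just routed
    return "drop" if nat_control else "route"

# The post's three dynamic rules toward outside (a matching global (outside) 1 is assumed) plus
# the inside -> DMZ NAT exemption the poster added; networks are the ones named in the post
POST_RULES = [
    Rule("dynamic", "inside", "0.0.0.0/0", mapped_if="outside"),  # nat (inside) 1 0.0.0.0 0.0.0.0
    Rule("dynamic", "wifi", "0.0.0.0/0", mapped_if="outside"),    # nat (wifi) 1 0.0.0.0 0.0.0.0
    Rule("dynamic", "dmz", "0.0.0.0/0", mapped_if="outside"),     # nat (dmz) 1 0.0.0.0 0.0.0.0
    Rule("nat0", "inside", "192.168.0.0/24", dst_net="192.168.100.0/24"),  # inside -> DMZ exemption
]
# The reply's identity static: static (in,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
IDENTITY_STATIC = Rule("static", "inside", "192.168.0.0/24", mapped_if="dmz", mapped_net="192.168.0.0/24")
```

Running `nat_decision("dmz", "inside", "192.168.100.5", "192.168.0.10", POST_RULES)` returns "drop" because the exemption is outbound-only, while adding IDENTITY_STATIC to the list makes the same DMZ-initiated connection return "identity".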

Actually, yeah, I would like that. But at this point it doesn't really matter anyway, because all my interfaces (except outside) are using a dynamic NAT/PAT, which forces you to add other NAT rules for internal communication; otherwise all traffic gets PATed/NATed through Outside.

I still would appreciate knowing why a static rule does not work between inside <-> wifi. If I enable this rule I get a Land Attack when I view the logs. But if I enable the same rule, just with the DMZ interface/IPs, it works perfectly. Why doesn't a static rule work in this case?

Also, is my configuration "ok"? Is there anything that could potentially cause problems in the future? Is it the best way of doing this?

I need all of these conditions met:

Inside -> Outside nat (inside) 1 0.0.0.0 0.0.0.0

Wifi -> Outside nat (wifi) 1 0.0.0.0 0.0.0.0

DMZ -> Outside nat (dmz) 1 0.0.0.0 0.0.0.0

Inside -> wifi (for administration of access point, but wifi users should not be able to access network resources on Inside)

Inside -> DMZ (for administration of security cameras, but should not be able to access network resources on Inside)